package com.google.auth.oauth2;

import com.google.api.client.json.GenericJson;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.o;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.telemetry.TelemetryEventStrings;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.math.BigDecimal;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.regex.Pattern;
import org.bouncycastle.pqc.jcajce.provider.gmss.dS.qYEcB;
import tt.C1705eJ;
import tt.InterfaceC1387bF;
import tt.InterfaceC2840p80;
import tt.N10;

/* loaded from: classes.dex */
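/**
 * Base class for credentials built from an "external_account" configuration (decompiled source;
 * obfuscated identifiers such as {@code N10}, {@code l}, {@code o}, {@code p} and {@code f} are
 * kept exactly as they appear).
 *
 * <p>Security note: the configuration map read by {@link #fromJson} decides where the subject
 * token is sent ({@code token_url}, {@code service_account_impersonation_url}) and which
 * credential subclass is instantiated. The only URL validation visible in this class is
 * {@link #isValidUrl}, which requires an https scheme and a host but does not restrict the host.
 * Treat the configuration as trusted input and do not load it from sources an untrusted party can
 * write to.
 */
public abstract class ExternalAccountCredentials extends GoogleCredentials {
    private static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
    static final String DEFAULT_TOKEN_URL = "https://sts.{UNIVERSE_DOMAIN}/v1/token";
    static final String EXECUTABLE_SOURCE_KEY = "executable";
    static final String EXTERNAL_ACCOUNT_FILE_TYPE = "external_account";
    static final String PROGRAMMATIC_METRICS_HEADER_VALUE = "programmatic";
    private static final long serialVersionUID = 8049126194174465023L;

    // Compiled once instead of on every isWorkforcePoolConfiguration() call. The dots in the host
    // part are unescaped, so they match any character; the regex text is unchanged from the original.
    private static final Pattern WORKFORCE_POOL_AUDIENCE_PATTERN =
            Pattern.compile("^//iam.googleapis.com/locations/.+/workforcePools/.+/providers/.+$");

    private final String audience;
    private final String clientId;
    // Secret material: exposed through getClientSecret(); keep it out of logs and error messages.
    private final String clientSecret;
    private final CredentialSource credentialSource;
    private f environmentProvider;
    protected ImpersonatedCredentials impersonatedCredentials;
    private ExternalAccountMetricsHandler metricsHandler;
    private final Collection<String> scopes;
    private final ServiceAccountImpersonationOptions serviceAccountImpersonationOptions;
    private final String serviceAccountImpersonationUrl;
    private final String subjectTokenType;
    private final String tokenInfoUrl;
    private final String tokenUrl;
    // Transient: re-created in readObject() from transportFactoryClassName.
    protected transient InterfaceC1387bF transportFactory;
    private final String transportFactoryClassName;
    private final String workforcePoolUserProject;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /** Base type for the parsed "credential_source" section of the configuration. */
    public static abstract class CredentialSource implements Serializable {
        private static final long serialVersionUID = 8204657811562399944L;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * @param map the raw credential source map; passed to {@code N10.s}, which is presumably
         *     a null check (TODO confirm against the obfuscated helper)
         */
        public CredentialSource(Map<String, Object> map) {
            N10.s(map);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /**
     * Options parsed from the "service_account_impersonation" section. Holds the requested token
     * lifetime in seconds and whether the configuration set it explicitly.
     */
    public static final class ServiceAccountImpersonationOptions implements Serializable {
        private static final int DEFAULT_TOKEN_LIFETIME_SECONDS = 3600;
        private static final int MAXIMUM_TOKEN_LIFETIME_SECONDS = 43200;
        private static final int MINIMUM_TOKEN_LIFETIME_SECONDS = 600;
        private static final String TOKEN_LIFETIME_SECONDS_KEY = "token_lifetime_seconds";
        private static final long serialVersionUID = 4250771921886280953L;
        final boolean customTokenLifetimeRequested;
        private final int lifetime;

        /**
         * Reads "token_lifetime_seconds" from the options map.
         *
         * <p>When the key is absent the default of 3600 seconds is used. When it is present the
         * value must be a {@link BigDecimal}, an {@link Integer} or a decimal {@link String}, and
         * must lie between 600 and 43200 seconds inclusive.
         *
         * @param map the "service_account_impersonation" options
         * @throws IllegalArgumentException if the value cannot be converted to an int or is out of
         *     range
         * @throws ClassCastException if the value is of any other type (the fall-through branch
         *     casts it to String)
         */
        ServiceAccountImpersonationOptions(Map<String, Object> map) {
            boolean requested = map.containsKey(TOKEN_LIFETIME_SECONDS_KEY);
            this.customTokenLifetimeRequested = requested;
            if (!requested) {
                this.lifetime = DEFAULT_TOKEN_LIFETIME_SECONDS;
                return;
            }
            Object raw = map.get(TOKEN_LIFETIME_SECONDS_KEY);
            int parsed;
            try {
                if (raw instanceof BigDecimal) {
                    // intValueExact() rejects fractional or out-of-int-range numbers. The original
                    // intValue() silently truncated or wrapped them, so a value far outside the
                    // allowed range could wrap into it and pass the check below; it also left the
                    // ArithmeticException handler unreachable.
                    parsed = ((BigDecimal) raw).intValueExact();
                } else if (raw instanceof Integer) {
                    parsed = ((Integer) raw).intValue();
                } else {
                    // A null value reaches parseInt(null), which raises NumberFormatException.
                    parsed = Integer.parseInt((String) raw);
                }
            } catch (ArithmeticException | NumberFormatException e) {
                throw new IllegalArgumentException("Value of \"token_lifetime_seconds\" field could not be parsed into an integer.", e);
            }
            if (parsed < MINIMUM_TOKEN_LIFETIME_SECONDS || parsed > MAXIMUM_TOKEN_LIFETIME_SECONDS) {
                throw new IllegalArgumentException(String.format("The \"token_lifetime_seconds\" field must be between %s and %s seconds.", Integer.valueOf(MINIMUM_TOKEN_LIFETIME_SECONDS), Integer.valueOf(MAXIMUM_TOKEN_LIFETIME_SECONDS)));
            }
            this.lifetime = parsed;
        }

        /** @return the impersonated token lifetime in seconds */
        int getLifetime() {
            return this.lifetime;
        }
    }

    /* loaded from: classes.dex */
    /** Subject token type URNs accepted in the "subject_token_type" field. */
    public enum SubjectTokenTypes {
        AWS4("urn:ietf:params:aws:token-type:aws4_request"),
        JWT("urn:ietf:params:oauth:token-type:jwt"),
        SAML2("urn:ietf:params:oauth:token-type:saml2"),
        ID_TOKEN("urn:ietf:params:oauth:token-type:id_token");

        public final String value;

        SubjectTokenTypes(String str) {
            this.value = str;
        }
    }

    /* loaded from: classes.dex */
    /**
     * Callback wrapper used by the asynchronous {@code getRequestMetadata}: it adds the quota
     * project id to the metadata before handing it to the wrapped callback, and forwards failures
     * unchanged.
     */
    class a implements InterfaceC2840p80 {
        final /* synthetic */ InterfaceC2840p80 a;

        a(InterfaceC2840p80 interfaceC2840p80) {
            this.a = interfaceC2840p80;
        }

        @Override // tt.InterfaceC2840p80
        public void a(Map map) {
            this.a.a(GoogleCredentials.addQuotaProjectIdToRequestMetadata(ExternalAccountCredentials.this.quotaProjectId, map));
        }

        @Override // tt.InterfaceC2840p80
        public void onFailure(Throwable th) {
            this.a.onFailure(th);
        }
    }

    /* loaded from: classes.dex */
    /**
     * Builder for {@link ExternalAccountCredentials}. Field and setter names are obfuscated; the
     * meaning of each field is taken from the copy constructor below.
     */
    public static abstract class b extends GoogleCredentials.a {
        protected String f; // audience
        protected String g; // subjectTokenType
        protected String h; // tokenUrl
        protected String i; // tokenInfoUrl
        protected CredentialSource j; // credentialSource
        protected f k; // environmentProvider
        protected InterfaceC1387bF l; // transportFactory
        protected String m; // serviceAccountImpersonationUrl
        protected String n; // clientId
        protected String o; // clientSecret
        protected Collection p; // scopes
        protected String q; // workforcePoolUserProject
        protected ServiceAccountImpersonationOptions r; // serviceAccountImpersonationOptions
        protected ExternalAccountMetricsHandler s; // metricsHandler

        /* JADX INFO: Access modifiers changed from: protected */
        public b() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /** Copies every configurable field from an existing credential. */
        public b(ExternalAccountCredentials externalAccountCredentials) {
            super(externalAccountCredentials);
            this.l = externalAccountCredentials.transportFactory;
            this.f = externalAccountCredentials.audience;
            this.g = externalAccountCredentials.subjectTokenType;
            this.h = externalAccountCredentials.tokenUrl;
            this.i = externalAccountCredentials.tokenInfoUrl;
            this.m = externalAccountCredentials.serviceAccountImpersonationUrl;
            this.j = externalAccountCredentials.credentialSource;
            this.n = externalAccountCredentials.clientId;
            this.o = externalAccountCredentials.clientSecret;
            this.p = externalAccountCredentials.scopes;
            this.k = externalAccountCredentials.environmentProvider;
            this.q = externalAccountCredentials.workforcePoolUserProject;
            this.r = externalAccountCredentials.serviceAccountImpersonationOptions;
            this.s = externalAccountCredentials.metricsHandler;
        }

        /** Sets the workforce pool user project. */
        public b A(String str) {
            this.q = str;
            return this;
        }

        /** Sets the audience. */
        public b n(String str) {
            this.f = str;
            return this;
        }

        /** Sets the client id. */
        public b o(String str) {
            this.n = str;
            return this;
        }

        /** Sets the client secret. */
        public b p(String str) {
            this.o = str;
            return this;
        }

        /** Sets the credential source. */
        public b q(CredentialSource credentialSource) {
            this.j = credentialSource;
            return this;
        }

        /** Sets the transport factory. */
        public b r(InterfaceC1387bF interfaceC1387bF) {
            this.l = interfaceC1387bF;
            return this;
        }

        /**
         * Delegates to the parent builder's {@code l}; presumably the quota project id, since
         * fromJson passes "quota_project_id" to {@code l} on the subclass builders (TODO confirm).
         */
        public b s(String str) {
            super.l(str);
            return this;
        }

        /** Sets the scopes. */
        public b t(Collection collection) {
            this.p = collection;
            return this;
        }

        /**
         * Parses and sets the service account impersonation options.
         *
         * @throws IllegalArgumentException if "token_lifetime_seconds" is present but invalid
         */
        public b u(Map map) {
            this.r = new ServiceAccountImpersonationOptions(map);
            return this;
        }

        /** Sets the service account impersonation URL. */
        public b v(String str) {
            this.m = str;
            return this;
        }

        /** Sets the subject token type. */
        public b w(String str) {
            this.g = str;
            return this;
        }

        /** Sets the token info URL. */
        public b x(String str) {
            this.i = str;
            return this;
        }

        /** Sets the token URL. */
        public b y(String str) {
            this.h = str;
            return this;
        }

        /**
         * Delegates to the parent builder's {@code m}; presumably the universe domain, since
         * fromJson passes "universe_domain" to {@code m} on the subclass builders (TODO confirm).
         */
        public b z(String str) {
            super.m(str);
            return this;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the credential from a builder.
     *
     * <p>Defaults: a null token URL becomes {@link #DEFAULT_TOKEN_URL} with the universe domain
     * substituted; null or empty scopes become the cloud-platform scope; a null environment
     * provider, impersonation options or metrics handler is replaced by a fresh default.
     * Unlike the positional constructor, the credential source is not null-checked here.
     *
     * @throws IllegalArgumentException if a workforce pool user project is set on a configuration
     *     whose audience is not a workforce pool, or if the token URL or impersonation URL fails
     *     validation
     */
    public ExternalAccountCredentials(b bVar) {
        super(bVar);
        // com.google.common.base.d.a(x, y) presumably returns the first non-null argument — TODO confirm.
        InterfaceC1387bF factory = (InterfaceC1387bF) com.google.common.base.d.a(bVar.l, OAuth2Credentials.getFromServiceLoader(InterfaceC1387bF.class, l.e));
        this.transportFactory = factory;
        this.transportFactoryClassName = (String) N10.s(factory.getClass().getName());
        this.audience = (String) N10.s(bVar.f);
        this.subjectTokenType = (String) N10.s(bVar.g);
        this.credentialSource = bVar.j;
        this.tokenInfoUrl = bVar.i;
        String impersonationUrl = bVar.m;
        this.serviceAccountImpersonationUrl = impersonationUrl;
        this.clientId = bVar.n;
        this.clientSecret = bVar.o;
        String configuredTokenUrl = bVar.h;
        if (configuredTokenUrl == null) {
            this.tokenUrl = DEFAULT_TOKEN_URL.replace("{UNIVERSE_DOMAIN}", getUniverseDomain());
        } else {
            this.tokenUrl = configuredTokenUrl;
        }
        Collection requestedScopes = bVar.p;
        this.scopes = (requestedScopes == null || requestedScopes.isEmpty()) ? Arrays.asList(CLOUD_PLATFORM_SCOPE) : bVar.p;
        f provider = bVar.k;
        this.environmentProvider = provider == null ? SystemEnvironmentProvider.getInstance() : provider;
        ServiceAccountImpersonationOptions options = bVar.r;
        this.serviceAccountImpersonationOptions = options == null ? new ServiceAccountImpersonationOptions(new HashMap()) : options;
        String userProject = bVar.q;
        this.workforcePoolUserProject = userProject;
        if (userProject != null && !isWorkforcePoolConfiguration()) {
            throw new IllegalArgumentException("The workforce_pool_user_project parameter should only be provided for a Workforce Pool configuration.");
        }
        // Both URLs come from configuration; validation only enforces https + host (see isValidUrl).
        validateTokenUrl(this.tokenUrl);
        if (impersonationUrl != null) {
            validateServiceAccountImpersonationInfoUrl(impersonationUrl);
        }
        ExternalAccountMetricsHandler handler = bVar.s;
        this.metricsHandler = handler == null ? new ExternalAccountMetricsHandler(this) : handler;
    }

    /** Positional constructor without an environment provider; delegates with a null provider. */
    protected ExternalAccountCredentials(InterfaceC1387bF interfaceC1387bF, String str, String str2, String str3, CredentialSource credentialSource, String str4, String str5, String str6, String str7, String str8, Collection<String> collection) {
        this(interfaceC1387bF, str, str2, str3, credentialSource, str4, str5, str6, str7, str8, collection, null);
    }

    /**
     * Positional constructor.
     *
     * @param interfaceC1387bF transport factory; when null the service-loader result is used
     * @param str audience (required)
     * @param str2 subject token type (required)
     * @param str3 token URL (required, validated)
     * @param credentialSource credential source (required)
     * @param str4 token info URL
     * @param str5 service account impersonation URL (validated when non-null)
     * @param str6 passed as the second argument to the parent constructor; presumably the quota
     *     project id (TODO confirm)
     * @param str7 client id
     * @param str8 client secret
     * @param collection scopes; null or empty falls back to the cloud-platform scope
     * @param fVar environment provider; null falls back to the system provider
     * @throws IllegalArgumentException if either URL fails validation
     */
    protected ExternalAccountCredentials(InterfaceC1387bF interfaceC1387bF, String str, String str2, String str3, CredentialSource credentialSource, String str4, String str5, String str6, String str7, String str8, Collection<String> collection, f fVar) {
        super(null, str6);
        InterfaceC1387bF factory = (InterfaceC1387bF) com.google.common.base.d.a(interfaceC1387bF, OAuth2Credentials.getFromServiceLoader(InterfaceC1387bF.class, l.e));
        this.transportFactory = factory;
        this.transportFactoryClassName = (String) N10.s(factory.getClass().getName());
        this.audience = (String) N10.s(str);
        this.subjectTokenType = (String) N10.s(str2);
        this.tokenUrl = (String) N10.s(str3);
        this.credentialSource = (CredentialSource) N10.s(credentialSource);
        this.tokenInfoUrl = str4;
        this.serviceAccountImpersonationUrl = str5;
        this.clientId = str7;
        this.clientSecret = str8;
        this.scopes = (collection == null || collection.isEmpty()) ? Arrays.asList(CLOUD_PLATFORM_SCOPE) : collection;
        this.environmentProvider = fVar == null ? SystemEnvironmentProvider.getInstance() : fVar;
        this.workforcePoolUserProject = null;
        this.serviceAccountImpersonationOptions = new ServiceAccountImpersonationOptions(new HashMap());
        validateTokenUrl(str3);
        if (str5 != null) {
            validateServiceAccountImpersonationInfoUrl(str5);
        }
        this.metricsHandler = new ExternalAccountMetricsHandler(this);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the matching credential subclass from a parsed external-account configuration.
     *
     * <p>Selection: a credential source whose "environment_id" starts with "aws" yields
     * {@code AwsCredentials}; one containing the "executable" key yields
     * {@code PluggableAuthCredentials}; anything else yields {@code IdentityPoolCredentials}.
     * Every field is taken from the map as-is, so the map decides the token endpoint and the
     * credential type; callers should only pass configuration from a trusted source.
     *
     * @param map the parsed configuration
     * @param interfaceC1387bF the transport factory handed to the subclass builder
     * @throws IllegalArgumentException if "credential_source" is missing
     * @throws ClassCastException if a field has an unexpected type
     */
    public static ExternalAccountCredentials fromJson(Map<String, Object> map, InterfaceC1387bF interfaceC1387bF) {
        N10.s(map);
        N10.s(interfaceC1387bF);
        String audience = (String) map.get("audience");
        String subjectTokenType = (String) map.get("subject_token_type");
        String tokenUrl = (String) map.get("token_url");
        Map credentialSource = (Map) map.get("credential_source");
        String impersonationUrl = (String) map.get("service_account_impersonation_url");
        String tokenInfoUrl = (String) map.get("token_info_url");
        String clientId = (String) map.get("client_id");
        String clientSecret = (String) map.get("client_secret");
        String quotaProjectId = (String) map.get("quota_project_id");
        String userProject = (String) map.get("workforce_pool_user_project");
        String universeDomain = (String) map.get("universe_domain");
        Map impersonationOptions = (Map) map.get("service_account_impersonation");
        if (impersonationOptions == null) {
            impersonationOptions = new HashMap();
        }
        if (credentialSource == null) {
            // Previously this surfaced as a bare NullPointerException inside isAwsCredential.
            // IllegalArgumentException is what fromStream wraps into CredentialFormatException.
            throw new IllegalArgumentException("The \"credential_source\" field is missing from the external account configuration.");
        }
        if (isAwsCredential(credentialSource)) {
            // The AWS builder chain does not receive workforce_pool_user_project (as in the original).
            return AwsCredentials.newBuilder().I(interfaceC1387bF).E(audience).N(subjectTokenType).P(tokenUrl).O(tokenInfoUrl).H(new AwsCredentialSource(credentialSource)).M(impersonationUrl).l(quotaProjectId).F(clientId).G(clientSecret).L(impersonationOptions).m(universeDomain).h();
        }
        if (isPluggableAuthCredential(credentialSource)) {
            return PluggableAuthCredentials.newBuilder().H(interfaceC1387bF).D(audience).M(subjectTokenType).O(tokenUrl).N(tokenInfoUrl).G(new PluggableAuthCredentialSource(credentialSource)).L(impersonationUrl).l(quotaProjectId).E(clientId).F(clientSecret).Q(userProject).K(impersonationOptions).m(universeDomain).h();
        }
        return IdentityPoolCredentials.newBuilder().H(interfaceC1387bF).D(audience).M(subjectTokenType).O(tokenUrl).N(tokenInfoUrl).G(new IdentityPoolCredentialSource(credentialSource)).L(impersonationUrl).l(quotaProjectId).E(clientId).F(clientSecret).Q(userProject).K(impersonationOptions).m(universeDomain).h();
    }

    /** Parses a configuration stream using the default transport factory ({@code l.e}). */
    public static ExternalAccountCredentials fromStream(InputStream inputStream) {
        return fromStream(inputStream, l.e);
    }

    /**
     * Parses a UTF-8 JSON configuration stream and builds the credential via {@link #fromJson}.
     *
     * @throws CredentialFormatException if parsing or construction raises ClassCastException or
     *     IllegalArgumentException
     */
    public static ExternalAccountCredentials fromStream(InputStream inputStream, InterfaceC1387bF interfaceC1387bF) {
        N10.s(inputStream);
        N10.s(interfaceC1387bF);
        try {
            // NOTE(review): the obfuscated parser call may declare checked exceptions that the
            // decompiler dropped from this signature — confirm against the bytecode.
            return fromJson((GenericJson) new C1705eJ(l.f).a(inputStream, StandardCharsets.UTF_8, GenericJson.class), interfaceC1387bF);
        } catch (ClassCastException | IllegalArgumentException e) {
            throw new CredentialFormatException("An invalid input stream was provided.", e);
        }
    }

    /**
     * @return true when the source has an "environment_id" that starts with "aws"; a null or
     *     non-String value under that key raises NullPointerException or ClassCastException
     */
    private static boolean isAwsCredential(Map<String, Object> map) {
        return map.containsKey("environment_id") && ((String) map.get("environment_id")).startsWith("aws");
    }

    /** @return true when the source contains the "executable" key */
    private static boolean isPluggableAuthCredential(Map<String, Object> map) {
        return map.containsKey(EXECUTABLE_SOURCE_KEY);
    }

    /**
     * Checks that a URL parses, has a host, and uses the https scheme (case-insensitive).
     *
     * <p>This is a transport check only: it does not restrict which host the URL points at.
     *
     * @return false for unparseable input, including null
     */
    private static boolean isValidUrl(String str) {
        URI parsed;
        try {
            parsed = URI.create(str);
        } catch (Exception unused) {
            // The decompiled original fell through here and dereferenced an unassigned variable;
            // an unparseable (or null) URL is simply invalid.
            return false;
        }
        String scheme = parsed.getScheme();
        // HTTPS_PROTOCOL_STRING is presumably "https"; the decompiler substituted a same-valued
        // constant from an unrelated library — TODO confirm.
        return scheme != null
                && parsed.getHost() != null
                && AuthenticationConstants.HTTPS_PROTOCOL_STRING.equals(scheme.toLowerCase(Locale.US));
    }

    /**
     * Restores the transient transport factory after default deserialization.
     *
     * <p>Security note: the factory class name is read from the serialized stream and passed to
     * {@code OAuth2Credentials.newInstance}, so the stream chooses which class is instantiated.
     * Only deserialize instances from trusted sources, or apply an {@code ObjectInputFilter}.
     */
    private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        // defaultReadObject() declares both checked exceptions; the decompiler dropped the clause.
        objectInputStream.defaultReadObject();
        this.transportFactory = (InterfaceC1387bF) OAuth2Credentials.newInstance(this.transportFactoryClassName);
    }

    /** @return true when impersonation is configured but the delegate has not been built yet */
    private boolean shouldBuildImpersonatedCredential() {
        return this.serviceAccountImpersonationUrl != null && this.impersonatedCredentials == null;
    }

    /** @throws IllegalArgumentException if the URL fails {@link #isValidUrl} */
    static void validateServiceAccountImpersonationInfoUrl(String str) {
        if (!isValidUrl(str)) {
            throw new IllegalArgumentException("The provided service account impersonation URL is invalid.");
        }
    }

    /** @throws IllegalArgumentException if the URL fails {@link #isValidUrl} */
    static void validateTokenUrl(String str) {
        if (!isValidUrl(str)) {
            throw new IllegalArgumentException("The provided token URL is invalid.");
        }
    }

    /**
     * Builds the impersonated-credentials delegate, or returns null when no impersonation URL is
     * configured.
     *
     * <p>The source credential is a copy of this instance rebuilt with a null argument to the
     * subclass builder's {@code M}/{@code L} setter, which fromJson uses for the impersonation
     * URL. The target principal is extracted from the impersonation URL, and the lifetime comes
     * from the impersonation options.
     */
    ImpersonatedCredentials buildImpersonatedCredentials() {
        if (this.serviceAccountImpersonationUrl == null) {
            return null;
        }
        return ImpersonatedCredentials.newBuilder().D(this instanceof AwsCredentials ? AwsCredentials.newBuilder((AwsCredentials) this).M(null).h() : this instanceof PluggableAuthCredentials ? PluggableAuthCredentials.newBuilder((PluggableAuthCredentials) this).L(null).h() : IdentityPoolCredentials.newBuilder((IdentityPoolCredentials) this).L(null).h()).y(this.transportFactory).E(ImpersonatedCredentials.extractTargetPrincipal(this.serviceAccountImpersonationUrl)).C(new ArrayList(this.scopes)).A(this.serviceAccountImpersonationOptions.lifetime).z(this.serviceAccountImpersonationUrl).h();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Exchanges the external credential for an access token.
     *
     * <p>When impersonation is configured the delegate is built lazily and its
     * {@code refreshAccessToken()} result is returned. Otherwise a request is built against
     * {@code tokenUrl} with the given exchange request and an "x-goog-api-client" metrics header.
     * The names of the obfuscated request-builder methods are not recoverable from this file.
     *
     * @param pVar the token exchange request (obfuscated type)
     */
    public AccessToken exchangeExternalCredentialForAccessToken(p pVar) {
        if (shouldBuildImpersonatedCredential()) {
            this.impersonatedCredentials = buildImpersonatedCredentials();
        }
        ImpersonatedCredentials delegate = this.impersonatedCredentials;
        if (delegate != null) {
            return delegate.refreshAccessToken();
        }
        o.b d = o.d(this.tokenUrl, pVar, this.transportFactory.create().c());
        if (isWorkforcePoolConfiguration()) {
            GenericJson genericJson = new GenericJson();
            genericJson.setFactory(l.f);
            // qYEcB.YsDhS is a decompiler-substituted constant; presumably the options key for
            // the workforce pool user project — TODO confirm its value.
            genericJson.put(qYEcB.YsDhS, (Object) this.workforcePoolUserProject);
            d.c(genericJson.toString());
        }
        com.google.api.client.http.d dVar = new com.google.api.client.http.d();
        dVar.set("x-goog-api-client", this.metricsHandler.getExternalAccountMetricsHeader());
        d.b(dVar);
        // Called after the workforce branch with the same setter, so a non-null value from the
        // request presumably replaces the options set above — TODO confirm.
        if (pVar.c() != null) {
            d.c(pVar.c());
        }
        return d.a().c().a();
    }

    public String getAudience() {
        return this.audience;
    }

    public String getClientId() {
        return this.clientId;
    }

    /** @return the client secret; callers should avoid logging or persisting it */
    public String getClientSecret() {
        return this.clientSecret;
    }

    public CredentialSource getCredentialSource() {
        return this.credentialSource;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @return the credential source type label; this base implementation returns a
     *     decompiler-substituted constant, presumably "unknown" (TODO confirm)
     */
    public String getCredentialSourceType() {
        return TelemetryEventStrings.Value.UNKNOWN;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public f getEnvironmentProvider() {
        return this.environmentProvider;
    }

    /** Returns the parent's request metadata with the quota project id added. */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) {
        return GoogleCredentials.addQuotaProjectIdToRequestMetadata(this.quotaProjectId, super.getRequestMetadata(uri));
    }

    /** Asynchronous variant; the callback is wrapped so the quota project id is added. */
    @Override // com.google.auth.oauth2.OAuth2Credentials, com.google.auth.Credentials
    public void getRequestMetadata(URI uri, Executor executor, InterfaceC2840p80 interfaceC2840p80) {
        super.getRequestMetadata(uri, executor, new a(interfaceC2840p80));
    }

    /** @return the scopes collection held by this credential (not a defensive copy) */
    public Collection<String> getScopes() {
        return this.scopes;
    }

    /**
     * @return the target principal extracted from the impersonation URL, or null when no
     *     impersonation URL is configured
     */
    public String getServiceAccountEmail() {
        String url = this.serviceAccountImpersonationUrl;
        if (url == null || url.isEmpty()) {
            return null;
        }
        return ImpersonatedCredentials.extractTargetPrincipal(this.serviceAccountImpersonationUrl);
    }

    public ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions() {
        return this.serviceAccountImpersonationOptions;
    }

    public String getServiceAccountImpersonationUrl() {
        return this.serviceAccountImpersonationUrl;
    }

    public String getSubjectTokenType() {
        return this.subjectTokenType;
    }

    public String getTokenInfoUrl() {
        return this.tokenInfoUrl;
    }

    public String getTokenUrl() {
        return this.tokenUrl;
    }

    /**
     * Returns the parent's universe domain, rethrowing its checked IOException unchecked.
     *
     * @throws IllegalStateException wrapping the IOException
     */
    @Override // com.google.auth.oauth2.GoogleCredentials, com.google.auth.Credentials
    public String getUniverseDomain() {
        try {
            return super.getUniverseDomain();
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public String getWorkforcePoolUserProject() {
        return this.workforcePoolUserProject;
    }

    /**
     * @return true when a workforce pool user project is set and the audience matches the
     *     workforce pool provider pattern
     */
    public boolean isWorkforcePoolConfiguration() {
        return this.workforcePoolUserProject != null && WORKFORCE_POOL_AUDIENCE_PATTERN.matcher(getAudience()).matches();
    }

    /** Retrieves the subject token to exchange; implemented by each credential subclass. */
    public abstract String retrieveSubjectToken();
}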
